Tutorial: Deep Packet Inspection (nDPI)

Description

This tutorial details the features of T2 concerning Deep Packet Inspection (DPI). T2 implements a wrapper for the well-known nDPI library, which is widely used by researchers and technicians. Hence, T2 provides the user with a highly effective flow selection mechanism based on L7 applications, which makes producing training and test files for AI experiments very easy.

Preparation

To do so, we need to prepare T2. If you have not completed the previous tutorials, just follow the procedure described below.

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins and compile the following plugins.

If you have not yet created separate data and results directories, please do it now in another bash window; that facilitates your workflow:

$ mkdir ~/data
$ mkdir ~/results
$ cd ~/data

The anonymized sample PCAP used in this tutorial can be downloaded here: faf-exercise.pcap. Please extract it under your data folder. Now you are all set for T2 flow-based nDPI experiments.

Flow based nDPI

For network admins or researchers, the L7 type of the traffic is of great interest. Selecting flows by this feature makes it very easy to weed out (un)interesting traffic, reduce the number of flows, or label flows for later AI training and testing. For the latter, the nDPI plugin supplies a numerical output besides the human-readable one.

We leave the numerical classification off (it is useful for machine learning), as we want to compare nDPI's verdict to the L4 port meaning provided by portClassifier. If you like, you can switch it on. If nDPI is not sure about the classification, T2 helps a bit on flow termination. This feature is enabled by default. If you changed the config, you need to rebuild nDPI; otherwise you can run T2 right away:

If you scroll to the right, you will notice the nDPIclass output classifying the traffic. For this simple traffic type the port meaning actually matches in most cases, except for the FTP-Data flow. As NDPI_OUTPUT_STATS is enabled, nDPI supplies a separate traffic type statistics file, shown below.
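The two things the text describes, selecting or labelling flows by their nDPIclass and spotting flows where the L4 port meaning from portClassifier disagrees with nDPI's L7 verdict, can be done with a few lines over the T2 flow file. The script below is an added example and not part of the tutorial or of Tranalyzer; it assumes T2's tab-separated flow file format with a header line starting with `%`, and it assumes the column names `dstPortClass` (portClassifier) and `nDPIclass` (nDPI). The flow file content and the port/nDPI alias table are constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample of a T2 flow file (not real Tranalyzer output). T2 writes a
# tab-separated file whose header line starts with '%'; only a few columns are
# kept here. Flow 2 mirrors the FTP-Data case from the text: the port is
# dynamic, so the port classifier says "unknown" while nDPI recognises FTP_DATA.
SAMPLE_FLOW_FILE = (
    "% flowInd\tsrcIP\tdstIP\tdstPort\tdstPortClass\tnDPIclass\n"
    "1\t10.0.0.5\t10.0.0.9\t21\tftp\tFTP_CONTROL\n"
    "2\t10.0.0.5\t10.0.0.9\t34567\tunknown\tFTP_DATA\n"
    "3\t10.0.0.5\t10.0.0.10\t80\thttp\tHTTP\n"
    "4\t10.0.0.6\t10.0.0.10\t443\thttps\tTLS\n"
    "5\t10.0.0.7\t10.0.0.11\t53\tdns\tDNS\n"
    "6\t10.0.0.8\t10.0.0.12\t8080\thttp-alt\tHTTP\n"
)

# Assumed alias table: which portClassifier names count as agreeing with an
# nDPI class. Extend it for the classes that occur in your own traffic.
PORT_ALIASES = {
    "FTP_CONTROL": {"ftp"},
    "FTP_DATA": {"ftp-data"},
    "HTTP": {"http", "http-alt"},
    "TLS": {"https"},
    "DNS": {"dns"},
}


def parse_t2_flows(text):
    """Parse a T2-style flow file into a list of dicts keyed by column name."""
    rows = []
    header = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("%"):          # header (or comment) line
            header = line.lstrip("% ").split("\t")
            continue
        rows.append(dict(zip(header, line.split("\t"))))
    return rows


def class_stats(flows, column="nDPIclass"):
    """Flow count per class, the same information the nDPI stats file gives."""
    return Counter(f[column] for f in flows)


def select_flows(flows, wanted):
    """Keep only flows whose nDPI class is in `wanted` (L7-based selection)."""
    wanted = set(wanted)
    return [f for f in flows if f["nDPIclass"] in wanted]


def port_vs_ndpi_mismatches(flows):
    """Flows where the L4 port class does not agree with nDPI's L7 verdict."""
    out = []
    for f in flows:
        agreeing = PORT_ALIASES.get(f["nDPIclass"], set())
        if f["dstPortClass"] not in agreeing:
            out.append((f["flowInd"], f["dstPortClass"], f["nDPIclass"]))
    return out


def write_labeled_csv(flows, label_column="nDPIclass", features=("dstPort",)):
    """Emit a CSV with the chosen feature columns and the nDPI class as label,
    i.e. a training/test file for an ML experiment. Returns the CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(list(features) + ["label"])
    for f in flows:
        writer.writerow([f[c] for c in features] + [f[label_column]])
    return buf.getvalue()


if __name__ == "__main__":
    flows = parse_t2_flows(SAMPLE_FLOW_FILE)
    print("per-class flow counts:", dict(class_stats(flows)))
    print("web flows:", [f["flowInd"] for f in select_flows(flows, ["HTTP", "TLS"])])
    print("port/nDPI disagreements:", port_vs_ndpi_mismatches(flows))
    print(write_labeled_csv(flows))
```

On a real run, read the `*_flows.txt` that T2 wrote into your results directory instead of `SAMPLE_FLOW_FILE`; the disagreement list is the quick way to find the flows, like FTP-Data on a dynamic port, where port-based classification alone would have mislabelled the training data.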